Worked Examples: Using Calico-based OpenStack

Here are a few worked examples for common Calico on OpenStack deployment
scenarios. They make it easy to set up topologies and examine their
connectivity, to help you understand how Calico networks behave.

Example 1: Development Machine

In this example, a user wants to spin up a machine to use as a Linux
development environment. This user has a straightforward use-case: they
want a GUI and SSH access, but relatively little else.

This user is provisioned with a single OpenStack user and a single
OpenStack tenant. Neutron will automatically provision them with a
single security group, default, that contains the following rules:

allow all inbound traffic from machines in the default security
group

allow all outbound traffic to anywhere

Per the instructions in this document, this user cannot create
Neutron networks or subnets, but they do have access to the networks
created by the administrator: external and internal.

Because the user wants to be able to reach the machine from their own
laptop, they need the machine to be reachable from outside the data
center. In vanilla Neutron, this would mean provisioning it with a
floating IP, but in Calico they instead want to make sure the VM is
attached to the external network. To add themselves to this network,
the user needs to find out the UUID for it:

This places the VM with a single NIC in the external network. The VM
starts to boot, and Neutron allocates it an IP address in the external
network: in this case, both an IPv4 and IPv6 address, as you can see
below:

While the machine boots, this tenant decides to configure their security
group. It needs four extra rules: one for SSH and three for VNC. This
developer’s personal machine has the IPv4 address 191.64.52.12, and
that is the only machine they want to be able to reach the VM.
For that reason, they add the four security group rules:
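
The following Python model is an added example, not taken from the Calico documentation. It is a simplified model of security-group matching, not Neutron's implementation: it evaluates ingress packets against the default group's inbound rule plus the four rules described above, all restricted to 191.64.52.12/32. The three VNC-related port ranges, the Rule class, both function names and the sample source addresses are assumptions made for illustration; the page does not list the ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One ingress rule: the source is either a CIDR or membership of a group."""
    remote_cidr: Optional[str] = None
    remote_group: Optional[str] = None
    protocol: Optional[str] = None        # None matches any protocol
    port_min: int = 0
    port_max: int = 65535

LAPTOP = "191.64.52.12/32"                # developer's laptop, from the text

RULES = [
    Rule(remote_group="default"),         # default group: inbound from members
    Rule(LAPTOP, protocol="tcp", port_min=22, port_max=22),        # SSH
    # Assumed VNC-related port ranges; the page does not list them.
    Rule(LAPTOP, protocol="tcp", port_min=5800, port_max=5801),
    Rule(LAPTOP, protocol="tcp", port_min=5900, port_max=5901),
    Rule(LAPTOP, protocol="tcp", port_min=6000, port_max=6001),
]

def ingress_allowed(rules, src_ip, protocol, port, src_groups=()):
    """Default-deny: a packet is admitted only if at least one rule matches."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.protocol not in (None, protocol):
            continue
        if not r.port_min <= port <= r.port_max:
            continue
        if r.remote_group is not None:    # group rule: match on membership only
            if r.remote_group in src_groups:
                return True
            continue
        if r.remote_cidr is None:         # no source restriction at all
            return True
        net = ipaddress.ip_network(r.remote_cidr)
        # An IPv4-only rule never matches traffic to the VM's IPv6 address.
        if src.version == net.version and src in net:
            return True
    return False

def world_open(rules):
    """Rules that admit any source address (no source, or a /0 prefix)."""
    return [r for r in rules if r.remote_group is None and (
        r.remote_cidr is None
        or ipaddress.ip_network(r.remote_cidr).prefixlen == 0)]
```

Because the VM on the external network also receives an IPv6 address, the model makes visible that these IPv4-only rules leave IPv6 ingress from outside the group denied.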